Saturday, August 30, 2025

Windows 11 Home Registry Size, Number of Keys, Values

Here are some basic statistics on registry size for a default Windows 11 Home installation with Office Home Edition.

These are excellent backgrounders on the Registry.

  1. https://googleprojectzero.blogspot.com/2024/10/the-windows-registry-adventure-4-hives.html
  2. Windows Registry Forensics Cheat Sheet 2025 - Cyber Triage
  3. Metadata Consulting [dot] ca - Blog: Windows 10 Registry Size, Number of Keys, Values
  4. RegToText - Registry to Text Utility


Here are some stats on how large the registry is on disk:

DU v1.62 - Directory disk usage reporter
Copyright (C) 2005-2018 Mark Russinovich
Sysinternals - www.sysinternals.com


Totals:
Files:        160
Directories:  1
Size:         253,415,744 bytes
Size on disk: 253,748,904 bytes or  242.01 MB on disk


Raw Counts for Entire Registry Export file

File Name     Size
---------     ----
win11org.reg  515.71 MB


Number of subkey paths in the registry export file (line starts with [):

698591

Number of default key/value pairs in the registry export file (line starts with @, the default value):

290280

Number of named key/value pairs in the registry export file (line starts with ", a named value):

902551

Total number of key/value pairs in the registry export file (line starts with @ for the default value or " for a named value):

1,192,831

There are 1,192,866 registry paths.

This count includes keys and values, and can also include empty keys.
There are 70,145 plain keys/paths that have no key/value pairs under them.

Dureg Command


C:\Program Files (x86)\Resource Kit>dureg /a

Size of HKEY_CLASSES_ROOT   :   33,754,161
Size of HKEY_USERS          :   10,603,222
Size of HKEY_LOCAL_MACHINE  :   74,425,586

    Total Registry data size:    118,782,969   

You can get dureg here:

https://web.archive.org/web/20060415040835/http://download.microsoft.com/download/win2000platform/WebPacks/1.00.0.1/NT5/EN-US/Dureg.exe


Depth of keys

Depth counts the number of 'subdirectories' for a key. For example, the key below has a depth of 7 (the top hive HKEY_LOCAL_MACHINE is not counted).

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Content Indexer Cleaner] 

Depth	Keys	Percent
1	2	0.00%
2	14	0.00%
3	943	0.13%
4	7083	1.01%
5	55661	7.97%
6	181103	25.92%
7	121044	17.33%
8	83524	11.96%
9	56718	8.12%
10	84210	12.05%
11	25604	3.67%
12	31723	4.54%
13	30203	4.32%
14	8822	1.26%
15	3673	0.53%
16	4814	0.69%
17	1440	0.21%
18	946	0.14%
19	573	0.08%
20	209	0.03%
21	34	0.00%
22	67	0.01%
23	65	0.01%
24	42	0.01%
25	58	0.01%
26	8	0.00%
27	4	0.00%
28	4	0.00%
Total	698591
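The counts and the depth table above can be reproduced from any regedit export with a short script. The following is an added example, not the blog's RegToText tool: it applies the counting rules given above (a line starting with [ is a subkey path, @ is the default value, " is a named value), counts keys with no values under them, and tallies depth as the number of path components below the top-level hive. The SAMPLE_REG text is constructed for illustration; a real export is UTF-16LE and is opened with encoding="utf-16".

```python
"""Count keys and values in a Windows .reg export and tally key depth.

Added example (not the blog author's RegToText tool). SAMPLE_REG below is
a constructed export, not a real Windows 11 export; real counts will differ.
"""
import re
import sys
from collections import Counter

# Constructed sample export used when no file is given on the command line.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
@="default string"
"Name"="value with \"escaped\" quotes"
"Count"=dword:0000002a

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Sub]
"Blob"=hex:01,02,\
  03,04

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Sub\Empty]

[HKEY_CURRENT_USER\Software\Example\A\B]
@=hex(2):25,00,50,00,41,00,54,00,48,00,25,00,00,00
'''

# A key header line; the optional leading '-' is regedit's deletion marker.
KEY_RE = re.compile(r'^\[-?([^\]]+)\]\s*$')


def logical_lines(text):
    """Join the backslash-continued lines regedit emits for long hex data,
    so a wrapped value is counted once rather than once per physical line."""
    buf = ''
    for line in text.splitlines():
        if line.rstrip().endswith('\\'):
            buf += line.rstrip()[:-1]
            continue
        yield buf + line
        buf = ''
    if buf:
        yield buf


def registry_stats(text):
    """Return the post's counts: keys, default values, named values, their
    total, keys with no values under them, and a Counter of key depths."""
    keys = default_values = named_values = empty_keys = 0
    depths = Counter()
    values_in_key = None          # None until the first key header is seen
    for line in logical_lines(text):
        m = KEY_RE.match(line)
        if m:
            if values_in_key == 0:
                empty_keys += 1
            values_in_key = 0
            keys += 1
            # Depth = number of path components below the hive root, so the
            # post's ...\VolumeCaches\Content Indexer Cleaner example is 7.
            depths[m.group(1).count('\\')] += 1
        elif line.startswith('@'):
            default_values += 1
            values_in_key = (values_in_key or 0) + 1
        elif line.startswith('"'):
            named_values += 1
            values_in_key = (values_in_key or 0) + 1
    if values_in_key == 0:
        empty_keys += 1
    return {
        'keys': keys,
        'default_values': default_values,
        'named_values': named_values,
        'total_values': default_values + named_values,
        'empty_keys': empty_keys,
        'depths': depths,
    }


def depth_table(depths):
    """Rows of (depth, count, percent of all keys), like the post's table."""
    total = sum(depths.values())
    return [(d, n, round(100.0 * n / total, 2)) for d, n in sorted(depths.items())]


if __name__ == '__main__':
    # Usage: python reg_stats.py win11org.reg   (regedit exports are UTF-16LE)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding='utf-16') as fh:
            text = fh.read()
    else:
        text = SAMPLE_REG
    stats = registry_stats(text)
    for name, val in stats.items():
        if name != 'depths':
            print(f'{name:15} {val}')
    for depth, count, pct in depth_table(stats['depths']):
        print(f'{depth}\t{count}\t{pct:.2f}%')
```

Run it against an export to get the same four counts the post lists; the empty_keys figure corresponds to the "plain keys/paths that have no key/value pairs under them" count.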

Registry Types for Win11


Strange new values in the registry?

"SCO Support Level"=hex(200000):
"ManufacturerName"=hex(20004)
"WUDF"=hex(100000):


These are all the Windows registry types that appear in a .reg file, and how each notation is translated.


Notation  Type                             Meaning
--------  ----                             -------
"value"   alias for hex(1), REG_SZ         The default (blank) type: string value data with escape characters
hex       alias for hex(3), REG_BINARY     Binary data (any arbitrary data; override interpolated by /e if not detected by the Mozilla Universal Charset Detector library)
dword     alias for hex(4), REG_DWORD      A 32-bit unsigned integer coded in little-endian format
hex(0)    REG_NONE                         No type (the stored value, if any)
hex(1)    REG_SZ                           A string value, normally stored and exposed in UTF-16LE (when using the Unicode version of Win32 API functions), usually terminated by a NUL character
hex(2)    REG_EXPAND_SZ                    An "expandable" string value that can contain environment variables, normally stored and exposed in UTF-16LE, usually terminated by a NUL character
hex(3)    REG_BINARY                       Binary data (any arbitrary data; override interpolated by /e if not detected by the Mozilla Universal Charset Detector library)
hex(4)    REG_DWORD_LITTLE_ENDIAN          Equivalent to REG_DWORD: a 32-bit unsigned integer coded in little-endian format
hex(5)    REG_DWORD_BIG_ENDIAN             A 32-bit unsigned integer coded in big-endian format
hex(6)    REG_LINK                         A symbolic link (UNICODE) to another Registry key, specifying a root key and the path to the target key
hex(7)    REG_MULTI_SZ                     A multi-string value: an ordered list of non-empty strings, normally stored and exposed in UTF-16LE, each terminated by a NUL character, the list normally terminated by a second NUL character
hex(8)    REG_RESOURCE_LIST                A resource list, as specified at https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_cm_resource_list
hex(9)    REG_FULL_RESOURCE_DESCRIPTOR     A resource descriptor, as specified at https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_cm_full_resource_descriptor
hex(a)    REG_RESOURCE_REQUIREMENTS_LIST   A resource requirements list, as specified at https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_io_resource_requirements_list
hex(b)    REG_QWORD_LITTLE_ENDIAN          Equivalent to REG_QWORD: a 64-bit little-endian integer (introduced in Windows XP)
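The table above is enough to write a decoder for the value lines of an export. The following is an added example and is not the blog's RegToText tool: it treats "value", dword: and hex: as the aliases for hex(1), hex(4) and hex(3), decodes the string, DWORD, QWORD and multi-string types from their hex bytes, and reports any type id outside the documented 0..b range (such as the hex(200000) and hex(100000) lines quoted above) as unknown rather than guessing at it. The SAMPLE_LINES are constructed; only the last two come from the post.

```python
"""Decode the value notations of a .reg export into (name, type, value).

Added example, not the blog author's RegToText tool.
"""
import re

REG_TYPES = {
    0x0: 'REG_NONE',
    0x1: 'REG_SZ',
    0x2: 'REG_EXPAND_SZ',
    0x3: 'REG_BINARY',
    0x4: 'REG_DWORD',                       # little-endian
    0x5: 'REG_DWORD_BIG_ENDIAN',
    0x6: 'REG_LINK',
    0x7: 'REG_MULTI_SZ',
    0x8: 'REG_RESOURCE_LIST',
    0x9: 'REG_FULL_RESOURCE_DESCRIPTOR',
    0xa: 'REG_RESOURCE_REQUIREMENTS_LIST',
    0xb: 'REG_QWORD',                       # little-endian
}

# Name part: @ for the default value, or a quoted name with \" and \\ escapes.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
# Data part: hex: (REG_BINARY) or hex(N): with an explicit hexadecimal type id.
HEX_RE = re.compile(r'^hex(?:\(([0-9a-fA-F]+)\))?:?(.*)$')


def unescape(s):
    """Undo .reg string escaping: a backslash escapes the next character."""
    return re.sub(r'\\(.)', r'\1', s)


def decode_bytes(type_id, raw):
    """Interpret raw value bytes according to the registry type id."""
    try:
        if type_id in (0x1, 0x2, 0x6):       # UTF-16LE, NUL terminated
            return raw.decode('utf-16-le').rstrip('\x00')
        if type_id == 0x7:                   # NUL-separated list, double NUL at end
            return [s for s in raw.decode('utf-16-le').split('\x00') if s]
    except UnicodeDecodeError:
        return raw                           # malformed string data: keep the bytes
    if type_id in (0x4, 0xb):
        return int.from_bytes(raw, 'little')
    if type_id == 0x5:
        return int.from_bytes(raw, 'big')
    return raw                               # binary, resource data, unknown ids


def decode_value_line(line):
    """Parse one value line of a .reg export; returns (name, type_name, value)."""
    m = VALUE_RE.match(line.strip())
    if not m:
        raise ValueError(f'not a value line: {line!r}')
    name = '(Default)' if m.group(1) == '@' else unescape(m.group(1)[1:-1])
    data = m.group(2)
    if data.startswith('"'):                      # "value"        -> REG_SZ
        type_id, value = 0x1, unescape(data[1:-1])
    elif data.startswith('dword:'):               # dword:xxxxxxxx -> REG_DWORD
        type_id, value = 0x4, int(data[len('dword:'):], 16)
    elif data.startswith('hex'):                  # hex: / hex(N):
        h = HEX_RE.match(data)
        type_id = int(h.group(1), 16) if h.group(1) else 0x3
        raw = bytes.fromhex(''.join(h.group(2).split(',')).strip())
        value = decode_bytes(type_id, raw)
    else:
        raise ValueError(f'unknown data notation: {data!r}')
    type_name = REG_TYPES.get(type_id, f'UNKNOWN(hex({type_id:x}))')
    return name, type_name, value


# Constructed sample lines; the last two are the odd type ids quoted in the post.
SAMPLE_LINES = [
    '@="default"',
    r'"Path"="C:\\Tools\\\"quoted\""',
    '"Count"=dword:0000002a',
    '"Blob"=hex:de,ad,be,ef',
    '"Expand"=hex(2):25,00,50,00,41,00,54,00,48,00,25,00,00,00',
    '"Multi"=hex(7):61,00,00,00,62,00,00,00,00,00',
    '"Big"=hex(5):00,00,00,01',
    '"Q"=hex(b):01,00,00,00,00,00,00,00',
    '"SCO Support Level"=hex(200000):',
    '"WUDF"=hex(100000):',
]

if __name__ == '__main__':
    for line in SAMPLE_LINES:
        print(decode_value_line(line))
```

Feeding the value lines of an export through decode_value_line and tallying the returned type names gives a per-type census; the UNKNOWN(...) entries are exactly the lines worth a closer look.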



To convert these values to text, get my tool at RegToText - Registry to Text Utility.

Thursday, August 28, 2025

BMO Phishing email with subject BMO Security Alert

For the record, this is a BMO phishing email attempt that has recently been going around, with the subject "BMO Security Alert". What to do? Report it; go to the bottom of the page.


From : BMO Bаnk Of Mоntrеаl <stoffregen@tron.mexoliehotel.co.id>
Subject : BMO Security Alert.

Outlook identified this email as coming from an unknown source, and it went to the Junk folder.

PHISHING LINKS:

1. Hover over the image:
https://sl.ut.ac.id/xxxx


How to tell this is a phishing email?

  1. Check the email address in full; if it's not from the originating company, it's phishing.
  2. Hover over all links in the email; if they don't point to the company's website, forget it.
  3. The best way is to 

How to examine the email message source?

Now let's look at the message source:
  1. Outlook.com->Actions->View Message Source.
  2. Gmail.com->More (down arrow at top right)->Show original.
Check for suspicious links: anything that does not originate from apple.com.
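The checks above (sender address in full, every link's destination) can be scripted once you have the message source. This is an added example, not part of the original post: it parses a raw message, compares the sender's domain and each body link's host against the brand's expected domain, and also flags letters from non-Latin scripts hidden in a Latin-looking display name. SAMPLE_EMAIL is constructed from the From address and link shown above; bmo.com as the brand's legitimate domain is an assumption for the example, and the Cyrillic letter in the display name is placed there deliberately to exercise the homoglyph check.

```python
"""Triage one email against the checklist: sender domain, link hosts, and
non-Latin letters in the display name.

Added example, not from the original post. EXPECTED_DOMAIN is an assumption.
"""
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

EXPECTED_DOMAIN = 'bmo.com'   # assumption: the brand's real domain

# Constructed message: From and link as shown in the post, body invented,
# Latin 'a' in "Bank" replaced with Cyrillic U+0430 on purpose.
SAMPLE_EMAIL = (
    'From: BMO B\u0430nk Of Montreal <stoffregen@tron.mexoliehotel.co.id>\n'
    'Subject: BMO Security Alert.\n'
    'Content-Type: text/html; charset="utf-8"\n'
    '\n'
    '<html><body>\n'
    '<a href="https://sl.ut.ac.id/xxxx"><img src="cid:banner"></a>\n'
    '<p>Please verify your account.</p>\n'
    '</body></html>\n'
)

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
URL_RE = re.compile(r'https?://[^\s<>"\']+')


def host_belongs_to(host, domain):
    """True when host is the domain itself or a subdomain of it
    (so bmo.com.evil.example does not pass)."""
    host = (host or '').lower().rstrip('.')
    return host == domain or host.endswith('.' + domain)


def non_latin_letters(display_name):
    """Letters from scripts other than Latin in the display name, e.g. a
    Cyrillic 'а' standing in for Latin 'a'. Accented Latin letters pass."""
    found = []
    for ch in display_name:
        if ch.isalpha() and ord(ch) > 127:
            script = unicodedata.name(ch, 'UNKNOWN').split(' ')[0]
            if script != 'LATIN':
                found.append((ch, unicodedata.name(ch, 'UNKNOWN')))
    return found


def extract_links(msg):
    """All http(s) links from the text parts, in order, without duplicates."""
    links = []
    for part in msg.walk():
        if part.get_content_maintype() != 'text':
            continue
        payload = part.get_payload(decode=True)
        text = payload.decode(part.get_content_charset() or 'utf-8', 'replace')
        for url in HREF_RE.findall(text) + URL_RE.findall(text):
            if url.startswith(('http://', 'https://')) and url not in links:
                links.append(url)
    return links


def triage(raw_message, expected_domain=EXPECTED_DOMAIN):
    """Apply the checklist and return the findings plus an overall verdict."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get('From', ''))
    sender_domain = address.rsplit('@', 1)[-1].lower() if '@' in address else ''
    links = extract_links(msg)
    suspicious = [u for u in links
                  if not host_belongs_to(urlparse(u).hostname, expected_domain)]
    homoglyphs = non_latin_letters(display_name)
    sender_ok = host_belongs_to(sender_domain, expected_domain)
    return {
        'sender_domain': sender_domain,
        'sender_ok': sender_ok,
        'links': links,
        'suspicious_links': suspicious,
        'homoglyphs': homoglyphs,
        'verdict': 'phishing-likely' if (not sender_ok or suspicious or homoglyphs)
                   else 'no-findings',
    }


if __name__ == '__main__':
    for key, val in triage(SAMPLE_EMAIL).items():
        print(f'{key:16} {val}')
```

Paste the "View Message Source" / "Show original" text into a file and pass it to triage() to get the same three findings for a real message; the homoglyph check is what catches a display name that looks right to the eye but is not.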


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at top)->Phishing Scam
  2. Gmail.com->More (down arrow at top right)->Report Phishing

Report Phishing

If you have received this email take further 

  1. https://www.google.com/safebrowsing/report_phish/


Report phishing at Microsoft and government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx

Thursday, August 14, 2025

Are Macs, Linux safer than Windows PCs - 2025 Update

You would be amazed at how many people believe, and how Apple Store representatives perpetuate, the following myth:

"Macs don't need an anti-virus solution. It's a Mac, it's safe by design."

FYI, Macs (5% of the marketplace) come with XProtect, which is antivirus (AV) software. XProtect is not well known. It's a lightweight, behind-the-scenes guardian that uses only signature-based rules (known threats only).

Windows (75% of the marketplace) comes with Microsoft Defender, a full-featured antivirus and anti-malware suite that uses signature-based, behavioral-analysis and cloud-protection rules.

Linux (4% of the marketplace) does not have a default AV. The common free option (sudo apt install clamav) is ClamAV, which is signature-based and has basic heuristic capabilities. ClamAV can perform on-access scanning and process memory scanning, though these features require setup and aren't enabled by default. ClamAV is open source but was purchased by Cisco Systems Inc. in 2013.

The problem with a signature-based solution is that you are always behind and have to play catch-up. Any new malware can spread before it is identified and quarantined.

Generally speaking, according to the Common Vulnerabilities and Exposures (CVE) All Time Board (see image below), macOS and Windows are virtually tied for number of vulnerabilities.

Android and iPhone have more vulnerabilities and do not have any antivirus built in, yet they are full-blown computers (see Phone Security Brief).

TL;DR

Don't surf on your phone, or bank on it. Use a desktop and buy the best anti-malware/antivirus solution available.

Phone Security Brief

It might seem strange that Kaspersky Lab doesn’t offer an antivirus app for iOS, but there’s a good reason: Apple doesn’t allow any proper antivirus apps into the App Store, saying “Apple designed the iOS platform with security at its core” and that the operating system does not need an antivirus utility. (An antivirus for iPhone — does it even exist? | Kaspersky official blog)

Both Android and iOS market their security using sandboxing, which is a good technique but has not prevented the number of vulnerabilities open to attack. Again, phone companies will never tell you your phone needs an antivirus, even though it's a full-blown computer. Open up a MacBook Air and inside is an iPhone. According to ESET, Android malware attacks surged by 160% in the first half of 2025. A major contributor is the "Kaleidoscope" ad fraud operation, along with drive-by malware that needs no click to activate (this would be blocked by an AV). So the major AV players just added AV into browsers; that's how they got around the phone restrictions. See below for more info.

Case in point: Aug 21, 2025 - drive-by image malware. Zero-day means a flaw in a system that hasn't been discovered or patched yet (not in signatures). Apple Patches CVE-2025-43300 Zero-Day in iOS, iPadOS, and macOS Exploited in Targeted Attacks (thehackernews.com)

July 8, 2025 - https://www.bleepingcomputer.com/news/security/android-malware-anatsa-infiltrates-google-play-to-target-us-banks/

CVE All Time Leaders Board

Source: Top 50 products having highest number of cve security vulnerabilities (cvedetails.com)


Mac OS X covers a longer historical period, including older versions like Leopard, Snow Leopard, etc.

Newer macOS versions (like Catalina (2019), Big Sur, Monterey) benefit from more advanced security features and sandboxing.


Phone Security Details

Both phone platforms rely on their sandboxing implementation; neither promotes nor includes a built-in antivirus, for fear of bad publicity and performance impact.

Android

  • Kernel-Level Sandbox: Each app runs with a unique Linux UID, isolating it at the process level using standard UNIX-style permissions.

  • SELinux Enforcement: Since Android 5.0, SELinux adds mandatory access control, and by Android 9, each app gets its own SELinux context.

  • Seccomp Filters: Android 8.0 introduced syscall filtering to limit what apps can do at the kernel level.

  • App Runtime (ART): Replaced Dalvik VM, offering process-level isolation and performance optimization.

iOS

  • Strict App Sandboxing: Every app is confined to its own directory with limited access to system resources and other apps.

  • Entitlements System: Apps must declare specific permissions (e.g., access to iCloud or camera), which are cryptographically signed and enforced.

  • ASLR & Execute Never (XN): Memory protection techniques like Address Space Layout Randomization and marking memory pages as non-executable prevent code injection attacks.


🔐 iOS App Security

Strengths:

  • Closed ecosystem: Apple tightly controls the App Store, vetting apps for malware and enforcing strict privacy guidelines.

  • Sandboxing: Apps are isolated from each other and the system, reducing the risk of cross-app data leaks.

  • Frequent updates: Apple supports older devices longer, ensuring timely security patches.

  • Privacy-first features: iOS includes indicators for microphone/camera use, approximate location sharing, and tracker blocking in Safari.

Weaknesses:

  • Limited customization: Users have less control over app permissions compared to Android.

  • Apple-centric data flow: A study found iPhones send more data to Apple servers than Android does to Google—but less to third parties.

🔐 Android App Security

Strengths:

  • Customizability: Users can fine-tune app permissions and install apps from outside the Play Store.

  • Security platforms: Some manufacturers (e.g., Samsung with Knox) offer enhanced device-level security.

  • Google Play Protect: Scans apps for malware, though effectiveness varies.

Weaknesses:

  • Fragmentation: Different manufacturers and OS versions lead to inconsistent security updates.

  • Third-party exposure: Android apps tend to send more data to external servers, including those in countries with questionable privacy laws.

  • Higher malware risk: Open app ecosystem makes Android more vulnerable to malicious apps.



Original post in 2016